Vigil@nce : Perl Compress-Raw-Bzip2, buffer overflow
August 2009 by Vigil@nce
An attacker can trigger an off-by-one buffer overflow in the Perl
Compress::Raw::Bzip2 module.
Severity: 2/4
Consequences: user access/rights, denial of service
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 20/08/2009
IMPACTED PRODUCTS
– Fedora
– Mandriva Enterprise Server
– Mandriva Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Perl Compress::Raw::Bzip2 module is used by Perl programs to
compress and uncompress data.
The bzinflate() function of the Bzip2.xs file uncompresses a data
block and adds a '\0' terminator at the end. However, this function
does not check if the buffer (of size 4KiB) is big enough to
contain the terminator. An overflow of one byte thus occurs.
An attacker can therefore compress 4KiB of data and send it to an
application using Compress::Raw::Bzip2 in order to generate a
denial of service and possibly to execute code.
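The boundary condition described above, as an added illustration in C (not the code of Bzip2.xs and not the vendor patch): it checks whether a terminator written after the data still fits in a 4 KiB buffer, and shows one way to write it safely. The struct, the function names and the grow-by-one-byte fix are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_CHUNK 4096 /* 4 KiB output buffer, the size given in the advisory */

/* Hypothetical buffer: cap = bytes allocated, len = bytes of data stored. */
struct outbuf { unsigned char *data; size_t cap, len; };

/* Simulate uncompressing n bytes (constructed data) into a fresh buffer. */
int fill(struct outbuf *b, size_t n)
{
    if (n > OUT_CHUNK || (b->data = malloc(OUT_CHUNK)) == NULL)
        return -1;
    b->cap = OUT_CHUNK;
    b->len = n;
    memset(b->data, 'A', n);
    return 0;
}

/* Unchecked form is data[len] = '\0'; report, without writing, if it is out of bounds. */
int terminator_overflows(const struct outbuf *b)
{
    return b->len >= b->cap;
}

/* Checked form: grow by one byte when the data fills the buffer. */
int terminate_checked(struct outbuf *b)
{
    if (b->len >= b->cap) {
        unsigned char *p = realloc(b->data, b->len + 1);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = b->len + 1;
    }
    b->data[b->len] = '\0';
    return 0;
}

int main(void)
{
    struct outbuf b;
    if (fill(&b, OUT_CHUNK) != 0) return 1;
    int oob = terminator_overflows(&b), rc = terminate_checked(&b);
    printf("unchecked out of bounds: %d; checked: rc=%d cap=%zu\n", oob, rc, b.cap);
    free(b.data);
    return rc;
}
```

With 4095 bytes of data the terminator lands on the last byte of the buffer; with exactly 4096 bytes the unchecked write would fall one byte past the allocation.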
CHARACTERISTICS
Identifiers: BID-36082, CVE-2009-1884, FEDORA-2009-8868,
FEDORA-2009-8888, MDVSA-2009:207, VIGILANCE-VUL-8963
http://vigilance.fr/vulnerability/Perl-Compress-Raw-Bzip2-buffer-overflow-8963